Anomaly-Based Insider Threat Detection Using Deep Autoencoders

In recent years, the malicious insider threat has become one of the most significant cyber security threats that an organisation can be subject to. Due to an insider's natural ability to evade deployed information security mechanisms such as firewalls and endpoint protections, the detection of...

Full description

Saved in:
Bibliographic Details
Published in:IEEE ... International Conference on Data Mining workshops pp. 39 - 48
Main Authors: Liu, Liu, De Vel, Olivier, Chen, Chao, Zhang, Jun, Xiang, Yang
Format: Conference Proceeding
Language:English
Published: IEEE 01.11.2018
Subjects:
Australia
Computers
cyber security
data analytics
Data mining
deep autoencoder
Deep learning
Electrical engineering
Feature extraction
Insider threats
Software
ISSN:2375-9259
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:In recent years, the malicious insider threat has become one of the most significant cyber security threats that an organisation can be subject to. Due to an insider's natural ability to evade deployed information security mechanisms such as firewalls and endpoint protections, the detection of an insider threat can be challenging. Moreover, compared to the volume of audit data that an organization collects for the purpose of intrusion/anomaly detection, the digital footprint left by a malicious insider's action can be minuscule. To detect insider threats from large and complex audit data, in this paper, we propose a detection system that implements anomaly detection using an ensemble of deep autoencoders. Each autoencoder in the ensemble is trained using a certain category of audit data, which represents a user's normal behaviour accurately. The reconstruction error obtained between the original and the decoded data is used to measure whether any behaviour is anomalous or not. After the data has been processed by the individually trained autoencoders and the respective reconstruction errors obtained, a joint decision-making mechanism is used to report a user's overall maliciousness score. Numerical experiments are conducted using a benchmark dataset for insider threat detection. Results indicate that the proposed detection system is able to detect all of the malicious insider actions with a reasonable false positive rate.
ISSN:2375-9259
DOI:10.1109/ICDMW.2018.00014